![Go Version](https://img.shields.io/github/go-mod/go-version/dub-flow/sessionprobe)
![Docker Image Size](https://img.shields.io/docker/image-size/fw10/sessionprobe/latest)
# SessionProbe
`SessionProbe` is a multi-threaded pentesting tool designed to assist in evaluating user privileges in web applications. It takes a user's session token and checks, for a list of URLs, whether access is possible, highlighting potential authorization issues. `SessionProbe` deduplicates URL lists and provides real-time logging and progress tracking.
`SessionProbe` is intended to be used with `Burp Suite`'s "Copy URLs in this host" functionality in the `Target` tab (available in the free `Community Edition`).
**Note**: You may want to change the `filter` in `Burp`'s `Target` tab to include files or images. Otherwise, these `URLs` would not be copied by "Copy URLs in this host" and would not be tested by `SessionProbe`.
# Built-in Help
Help is built-in!
- `sessionprobe --help` - outputs the help.
# How to Use
```text
Usage:
  sessionprobe [flags]

Flags:
  -u, --urls string             file containing the URLs to be checked (required)
  -H, --headers string          HTTP headers to be used in the requests in the format "Key1:Value1;Key2:Value2;..."
  -h, --help                    help for sessionprobe
      --ignore-css              ignore URLs ending with .css (default true)
      --ignore-js               ignore URLs ending with .js (default true)
  -o, --out string              output file (default "output.txt")
  -p, --proxy string            proxy URL (default: "")
  -r, --filter-regex string     exclude HTTP responses using a regex. Responses whose body matches this regex will not be part of the output.
  -l, --filter-lengths string   exclude HTTP responses by body length. You can specify lengths separated by commas (e.g., "123,456,789").
      --skip-verification       skip verification of SSL certificates (default false)
  -t, --threads int             number of threads (default 10)
      --check-all               Check POST, DELETE, PUT & PATCH methods (default false)
      --check-delete            Check DELETE method (default false)
      --check-patch             Check PATCH method (default false)
      --check-post              Check POST method (default false)
      --check-put               Check PUT method (default false)

Examples:
  ./sessionprobe -u ./urls.txt
  ./sessionprobe -u ./urls.txt --out ./unauthenticated-test.txt --threads 15
  ./sessionprobe -u ./urls.txt -H "Cookie: .AspNetCore.Cookies=<cookie>" -o ./output.txt
  ./sessionprobe -u ./urls.txt -H "Authorization: Bearer <token>" --proxy http://localhost:8080
  ./sessionprobe -u ./urls.txt -r "Page Not Found"
  ./sessionprobe -u ./urls.txt -H "Cookie: .AspNetCore.Cookies=<cookie>;Cookie: <another-cookie>=<another_value>"
```
# Run via Docker
1. Navigate into the directory where your `URLs file` is.
2. Run the command below:
```text
docker run -it --rm -v "$(pwd):/app/files" --name sessionprobe fw10/sessionprobe [flags]
```
- Note that the current directory is mounted into the container. This means that your `URLs file` must be in the current directory and your `output file` will also be written to this directory.
- Also remember to have your `Burp listener` bound to all interfaces if you want to use the `--proxy` option: from inside the container, `localhost` refers to the container itself, not to the host running Burp.
# Setup
- You can simply run this tool from source via `go run .`
- You can build the tool yourself via `go build`
- You can build the docker image yourself via `docker build . -t fw10/sessionprobe`
# Run Tests
- To run the tests, run `go test` or `go test -v` (for more details)
# Features
- Test for authorization issues
- Automatically dedupes URLs
- Sorts the URLs by response status code and extension (e.g., `.css`, `.js`), and provides the length
- Multi-threaded
- Proxy support to route all requests through e.g. `Burp`
- ...
# Example Output
```text
Responses with Status Code: 200
https://example.com/<some-path> => Length: 12345
https://example.com/<some-path> => Length: 40
...
Responses with Status Code: 301
https://example.com/<some-path> => Length: 890
https://example.com/<some-path> => Length: 434
...
Responses with Status Code: 302
https://example.com/<some-path> => Length: 0
...
Responses with Status Code: 404
...
Responses with Status Code: 502
...
```
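The following Go program is an added example, not part of SessionProbe's own code base, that reproduces the core loop the flags, features and output format above describe: it parses an `-H` style header string, dedupes the URL list and skips `.css`/`.js` (the defaults of `--ignore-css`/`--ignore-js`), requests each URL with the session headers attached without following redirects, applies `-r`/`-l` style exclusions, and prints the grouped report in the format shown above. The `--threads`, `--proxy`, `--skip-verification` and `--check-*` options are left out. `NewSampleServer`, the paths it serves and the `session` cookie are constructed stand-ins for an application under test; all function names are the example's own, not the project's.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"regexp"
	"sort"
	"strings"
)

// Result is one probed URL; the body is kept so a --filter-regex style exclusion can run at report time.
type Result struct {
	URL    string
	Status int
	Body   string
}

// ParseHeaders parses the -H format "Key1:Value1;Key2:Value2". Only the first colon of an entry
// separates key from value, and a repeated key (two Cookie entries) is sent as repeated header lines.
func ParseHeaders(spec string) (http.Header, error) {
	headers := http.Header{}
	for _, entry := range strings.FieldsFunc(spec, func(r rune) bool { return r == ';' }) {
		k, v, ok := strings.Cut(entry, ":")
		if !ok || strings.TrimSpace(k) == "" {
			return nil, fmt.Errorf("malformed header entry %q", entry)
		}
		headers.Add(strings.TrimSpace(k), strings.TrimSpace(v))
	}
	return headers, nil
}

// Probe dedupes the URL list, skips .css/.js (the --ignore-css/--ignore-js defaults), requests each
// URL with the session headers attached and returns results sorted by status code (input order within
// a code). Redirects are not followed, so a 301/302 is recorded as such; failed requests are dropped.
func Probe(urls []string, headers http.Header) []Result {
	client := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }}
	seen, results := map[string]bool{}, []Result{}
	for _, u := range urls {
		req, err := http.NewRequest(http.MethodGet, u, nil)
		if err != nil || seen[u] || strings.HasSuffix(u, ".css") || strings.HasSuffix(u, ".js") {
			continue // unparsable URL, duplicate, or ignored extension
		}
		seen[u] = true
		req.Header = headers.Clone() // nil headers stay nil; the client allocates an empty Header itself
		resp, err := client.Do(req)
		if err != nil {
			continue
		}
		body, _ := io.ReadAll(resp.Body)
		resp.Body.Close()
		results = append(results, Result{u, resp.StatusCode, string(body)})
	}
	sort.SliceStable(results, func(i, j int) bool { return results[i].Status < results[j].Status })
	return results
}

// Report groups sorted results by status code in the README's output format, dropping responses
// whose body length is in excludeLengths (-l) or whose body matches excludeBody (-r).
func Report(results []Result, excludeLengths map[int]bool, excludeBody *regexp.Regexp) string {
	var b strings.Builder
	last := -1
	for _, r := range results {
		if excludeLengths[len(r.Body)] || (excludeBody != nil && excludeBody.MatchString(r.Body)) {
			continue
		}
		if r.Status != last {
			fmt.Fprintf(&b, "Responses with Status Code: %d\n", r.Status)
			last = r.Status
		}
		fmt.Fprintf(&b, "%s => Length: %d\n", r.URL, len(r.Body))
	}
	return b.String()
}

// NewSampleServer is a constructed stand-in for the application under test: /admin answers 200 only
// to the cookie session=admin, /old redirects, and unknown paths are 404.
func NewSampleServer() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/public", func(w http.ResponseWriter, r *http.Request) { io.WriteString(w, "hello") })
	mux.HandleFunc("/old", func(w http.ResponseWriter, r *http.Request) { http.Redirect(w, r, "/public", 301) })
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { http.Error(w, "Page Not Found", 404) })
	mux.HandleFunc("/admin", func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie("session"); err != nil || c.Value != "admin" {
			http.Error(w, "Forbidden", 403)
			return
		}
		io.WriteString(w, "Welcome, admin")
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := NewSampleServer()
	defer srv.Close()
	headers, _ := ParseHeaders("Cookie: session=user1") // constructed low-privilege session
	urls := []string{srv.URL + "/public", srv.URL + "/public", srv.URL + "/app.js", srv.URL + "/admin", srv.URL + "/old", srv.URL + "/missing"}
	fmt.Print(Report(Probe(urls, headers), nil, regexp.MustCompile("Page Not Found")))
}
```

Run it with `go run .` (Go 1.18 or later, for `strings.Cut`). With the low-privilege session, `/admin` lands under status code 403, `/old` under 301 because the client returns `http.ErrUseLastResponse` instead of following the redirect, the duplicate `/public` is requested once, `/app.js` is never requested, and `/missing` is dropped from the report by the regex filter. A page that turns up under 200 for a session that should not see it is the authorization finding the tool is looking for; the body length beside each URL helps tell a real page apart from a generic "access denied" page served with a 200.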
# Releases
- The `Releases` section contains some already compiled binaries for you so that you might not have to build the tool yourself
- For the `Mac releases`, your Mac may throw a warning (`"cannot be opened because it is from an unidentified developer"`)
- To avoid this warning in the first place, you could simply build the app yourself (see `Setup`)
- Alternatively, you may - at your own risk - bypass this warning following the guidance here: https://support.apple.com/guide/mac-help/apple-cant-check-app-for-malicious-software-mchleab3a043/mac
- Afterwards, you can simply run the binary from the command line and provide the required flags
# Bug Reports
If you find a bug, please file an Issue right here in GitHub, and I will try to resolve it in a timely manner.